oxas-adv-2024-0003
Vulnerability from csaf_ox
Published
2024-04-24 00:00
Modified
2024-08-19 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2024-0003
{ document: { aggregate_severity: { text: "MEDIUM", }, category: "csaf_security_advisory", csaf_version: "2.0", lang: "en-US", publisher: { category: "vendor", name: "Open-Xchange GmbH", namespace: "https://open-xchange.com/", }, references: [ { category: "external", summary: "Release Notes", url: "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf", }, { category: "self", summary: "Canonical CSAF document", url: "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json", }, { category: "self", summary: "Markdown representation", url: "https://documentation.open-xchange.com/appsuite/security/advisories/md/2024/oxas-adv-2024-0003.md", }, { category: "self", summary: "HTML representation", url: "https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0003.html", }, { category: "self", summary: "Plain-text representation", url: "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2024/oxas-adv-2024-0003.txt", }, ], title: "OX App Suite Security Advisory OXAS-ADV-2024-0003", tracking: { current_release_date: "2024-08-19T00:00:00+00:00", generator: { date: "2024-08-19T07:26:47+00:00", engine: { name: "OX CSAF", version: "1.0.0", }, }, id: "OXAS-ADV-2024-0003", initial_release_date: "2024-04-24T00:00:00+02:00", revision_history: [ { date: "2024-04-24T00:00:00+02:00", number: "1", summary: "Initial release", }, { date: "2024-08-19T00:00:00+00:00", number: "2", summary: "Public release", }, { date: "2024-08-19T00:00:00+00:00", number: "3", summary: "Public release", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "7.10.6-rev61", product: { name: "OX App Suite backend 7.10.6-rev61", product_id: "OXAS-BACKEND_7.10.6-rev61", product_identification_helper: { cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev61:*:*:*:*:*:*", }, }, 
}, { category: "product_version", name: "8.22", product: { name: "OX App Suite backend 8.22", product_id: "OXAS-BACKEND_8.22", product_identification_helper: { cpe: "cpe:2.3:a:open-xchange:app_suite:8.22:*:*:*:*:*:*:*", }, }, }, { category: "product_version", name: "7.10.6-rev62", product: { name: "OX App Suite backend 7.10.6-rev62", product_id: "OXAS-BACKEND_7.10.6-rev62", product_identification_helper: { cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev62:*:*:*:*:*:*", }, }, }, { category: "product_version", name: "8.23", product: { name: "OX App Suite backend 8.23", product_id: "OXAS-BACKEND_8.23", product_identification_helper: { cpe: "cpe:2.3:a:open-xchange:app_suite:8.23:*:*:*:*:*:*:*", }, }, }, ], category: "product_name", name: "OX App Suite backend", }, { branches: [ { category: "product_version", name: "7.10.6-rev42", product: { name: "OX App Suite frontend 7.10.6-rev42", product_id: "OXAS-FRONTEND_7.10.6-rev42", product_identification_helper: { cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev42:*:*:*:*:*:*", }, }, }, { category: "product_version", name: "7.10.6-rev43", product: { name: "OX App Suite frontend 7.10.6-rev43", product_id: "OXAS-FRONTEND_7.10.6-rev43", product_identification_helper: { cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev43:*:*:*:*:*:*", x_generic_uris: [ { namespace: "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing", uri: "urn:open-xchange:app_suite:patch-id:6277", }, ], }, }, }, ], category: "product_name", name: "OX App Suite frontend", }, ], category: "vendor", name: "Open-Xchange GmbH", }, ], }, vulnerabilities: [ { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2024-03-01T16:15:20+01:00", ids: [ { system_name: "OX Bug", text: "MWB-2525", }, ], notes: [ { category: "description", text: "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. 
This issue affects an Apache Commons Compress library shipped with OX App Suite.", }, ], product_status: { first_fixed: [ "OXAS-BACKEND_7.10.6-rev62", "OXAS-BACKEND_8.23", ], last_affected: [ "OXAS-BACKEND_7.10.6-rev61", "OXAS-BACKEND_8.22", ], }, remediations: [ { category: "vendor_fix", date: "2024-04-11T14:13:57+02:00", details: "Please deploy the provided updates and patch releases. We have updated the vulnerable library as a precaution to avoid potential exploitation.", product_ids: [ "OXAS-BACKEND_7.10.6-rev61", "OXAS-BACKEND_8.22", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "OXAS-BACKEND_7.10.6-rev61", "OXAS-BACKEND_8.22", ], }, ], threats: [ { category: "impact", details: "The vulnerability can potentially be exploited through OX App Suite and affect availability of the service.", }, { category: "exploit_status", details: "No publicly available exploits are known.", }, ], title: "Apache Commons Compress library is prone to a denial of service (DoS) vulnerability.", }, { cve: "CVE-2024-25582", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-01-30T08:49:22+01:00", ids: [ { system_name: "OX Bug", text: "OXUIB-2718", }, ], notes: [ { category: "description", text: "Module savepoints could be abused to inject references to malicious code delivered through the same domain.", }, ], product_status: { first_fixed: [ "OXAS-FRONTEND_7.10.6-rev43", ], last_affected: [ "OXAS-FRONTEND_7.10.6-rev42", ], }, remediations: [ { category: "vendor_fix", date: "2024-04-04T15:19:41+02:00", details: "Please deploy the provided updates and patch releases. 
The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules.", product_ids: [ "OXAS-FRONTEND_7.10.6-rev42", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "OXAS-FRONTEND_7.10.6-rev42", ], }, ], threats: [ { category: "impact", details: "Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account.", }, { category: "exploit_status", details: "No publicly available exploits are known.", }, ], title: "XSS using arbitrary relative path to UI module", }, { cve: "CVE-2021-41184", cwe: { id: "CWE-80", name: "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", }, discovery_date: "2024-01-15T14:01:36+01:00", ids: [ { system_name: "OX Bug", text: "OXUIB-2699", }, ], notes: [ { category: "description", text: "jQuery third-party components with known vulnerabilities have been shipped.", }, ], product_status: { first_fixed: [ "OXAS-FRONTEND_7.10.6-rev43", ], last_affected: [ "OXAS-FRONTEND_7.10.6-rev42", ], }, remediations: [ { category: "vendor_fix", date: "2024-03-28T15:13:17+01:00", details: "Please deploy the provided updates and patch releases. 
The relevant components have been updated to mitigate potential exploitation.", product_ids: [ "OXAS-FRONTEND_7.10.6-rev42", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "OXAS-FRONTEND_7.10.6-rev42", ], }, ], threats: [ { category: "impact", details: "This update serves as a preventive measure since no practical exploitation in the context of OX App Suite is feasible.", }, { category: "exploit_status", details: "No publicly available exploits are known.", }, ], title: "Outdated jquery-ui shipped with 7.10.6", }, ], }